
Redirecting and stuff

Hi (again), I've recently picked up a redirect that I'd like some help with, hoping I haven't worn out your patience and I can get your opinion on these logs. I pulled this off Wireshark, maybe useful, but this is probably a somewhat involved infection...
[ds-global3.17.search.ystg1.b.yahoo .com] [IP= 98.136.144.138]

System errors:
=============
Error: (05/15/2019 02:01:25 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Razer Synapse Service service depends on the Razer Game Manager Service service which failed to start because of the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (05/15/2019 02:01:25 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The RzActionSvc service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (05/15/2019 02:01:25 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the RzActionSvc service to connect.

Error: (05/15/2019 02:01:24 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Razer Game Manager Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (05/15/2019 02:01:24 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Razer Game Manager Service service to connect.

Error: (05/15/2019 02:00:49 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The APXACC service failed to start due to the following error:
A device attached to the system is not functioning.

Error: (05/15/2019 01:59:11 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Razer Synapse Service service.

CodeIntegrity:
===================================

Date: 2019-05-15 14:01:03.837
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2019-05-15 14:01:03.813
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2019-05-15 14:01:03.369
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2019-05-15 14:01:03.337
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2019-05-14 15:40:04.377
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2019-05-14 15:40:04.183
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2019-05-14 15:40:03.785
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2019-05-14 15:40:03.660
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Start FRST (FRST64) with Administrator privileges
Press the Fix button. FRST will process the lines copied above from the clipboard.
When finished, a log file Fixlog.txt will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan Logs v.1.0

No worries on the response time, I'm very patient while getting free, good advice. The logs attached logs reflect a lot of fixes and the restarts were pretty involved, still not out of the proverbial "woods" yet though. At this point the redirect is still saying "Yahoo" (sorry, couldn't resist the pun) I do still see a lot of site traffic on the wireshark that I wish I didn't, this will likely be a rather involved process judging by what I've been watching. I do believe I mentioned once, a popular site for downloading tools etc. that I picked up a "bad" tool from. That was only one of the problems I have documented in captures, screenshots and graphs. This is probably more than script kids just messing around, at least that's my impression. 1st, some detail on the browser redirect. It doesn't seem to be redirecting bookmarked or linked sites, thus I'm able to log into some sites with no apparent problem. Any use of the search bar itself inevitably leads to the yahoo page, no exceptions. I do clear and block cookies in my FF browser as well as the supercookies, in spite of the block, they still reinstall. another point worth mentioning, is that the redirect page added a very cheesy Norton logo to itself, but it wasn't hard to spot the "yahoo format". On the upside, I wasn't terribly surprised to see an account was logged out of during one of the fix restarts.

Start FRST (FRST64) with Administrator privileges
Press the Fix button. FRST will process the lines copied above from the clipboard.
When finished, a log file Fixlog.txt will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Is Symantec/Norton working as it should?

~~~~~~~~~~~~~~~~~~

Emsisoft Emergency Kit - Fix Mode
Follow the instructions below to run a scan using the Emsisoft Emergency Kit.

Download the Emsisoft Emergency Kit and execute it. From there, click on the Install button to extract the program in the EEK folder;

Once the extraction is complete, the EEK folder will open. Right-click on start emergency kit scanner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);

EEK will suggest that you run an online update before using the program. Click on Yes to launch it.

After the update, click on Malware Scan under 2. Scan and accept to let EEK detect PUPs (click on Yes).

Once the scan is complete, make sure that every item in the list is checked, and click on the Quarantine selected button;

If it asks you for a reboot to delete some items, click on Ok to reboot automatically;

After the restart, open EEK again (in the C:\EEK folder);

This time, click on Logs;

From there, go under the Quarantine Log tab, and click on the Export button;

Save the log on your desktop, then open it, and copy/paste its content in your next reply;

Please post these 2 logs when finished.

Also, tell me how the computer is now.

Windows Insider MVP Consumer Security 2009 - 2017
Please do not PM me for Malware help, we all benefit from posting on the open board.

"Is Symantec/Norton working as it should?"

About the title of this reply... no, not so much. When I realized what I was looking at (it's pretty ambiguous to a newbie) I ran a clean FRST, then started this thread as well as contacted Norton support with a ticket, being as their logs showed a particular intrusion being blocked twice before being logged in as a public network, as well as my Norton control panel showed a "smart" firewall that looked way loose. I don't honestly know the differences, so I rely on Norton default settings. Lately I notice major settings changes I didn't make; this should give an indicator of how penetrated things are. Point is I can't, with my skill set, trust the defaults... I'm getting distracted, back to Norton support: I submitted a screenshot from the FRST, showing a particular Norton component that seemed relevant. They replied, no that's safe, case closed. I reopened the ticket, uploading the complete FRST logs to them; the Firefox profile defaults alone should have told them they had a problem with their default search. Reply was "no problems, case closed". At that point, I've let it slide and focused on documenting the infection as I work on it here. I can, and will, reopen the support ticket. I just don't want to get two fixes conflicting, so at any point that you want, I'll have them use remote login. This will get more involved than just a malware fix; I was thinking that there are aspects we will see that may just look familiar to other readers and overall be at least useful. It's important for people (especially the average user like myself) to realize that my only clue, without special tools running, would have been anything other than that their browser preferred Yahoo. Many people don't really care and would have looked no further, but we are way down a metaphorical "rabbit hole" and it's not obvious unless I look in the correct places that anything's really wrong.
(I am piling up gigs and gigs of data as this progresses, but there will be interesting things to see.) I'll bet, for example, that the public connection was a "pub. server"; that is one port I don't want to see active.
The Emsi logs reflect a scan run in a default admin mode; it took off and ran without letting me check anything. I'll attach the full copied/pasted URL of the redirect (it's rather involved) along with an overall screenshot of the site. It's worth noting that entering the full URL into VirusTotal links to the Yahoo that gets a 0/70 perfect detection score, but wait for it... when you switch to open it in Graphs, you get a "No results" result. (I love irony, but that stinks.)
If I should get knocked off this machine I'll be in touch through the back up address I gave earlier, thanks again for your help.

The reason I had asked if Norton was working as it should is because I had seen a few errors reported through FRST:
Date: 2019-05-15 14:01:03.837
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Through trying to go into help pages, others with the same issue, there actually was no resolution, since they felt it was related to the security panel being recognized as your antivirus, and it is....

OK
What we can do: remove the browser helpers from Norton (if it will allow it), then reset the browsers back to default and see if this can stop what's been happening.

Start Farbar Recovery Scan Tool with Administrator privileges
(Right click on the FRST icon and select Run as administrator)

Highlight the text below and select Copy,
beginning with Start:: and finishing with End::
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Start FRST (FRST64) with Administrator privileges
Press the Fix button. FRST will process the lines copied above from the clipboard.
When finished, a log file Fixlog.txt will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Instructions on how to backup your Favourites/Bookmarks and other data can be found below.
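Added example, not code from the thread or from the FRST tool: a small Python parser for the "System errors" and "CodeIntegrity" sections that FRST writes, run over a constructed excerpt laid out like the entries posted above. It collapses the repeated WSCStub.exe entries into one record with a count, a time span and the reason, and keys the Service Control Manager failures by Event ID and service, so an analyst can see how many distinct findings a long log actually contains.

```python
import re
from collections import Counter

# Constructed sample input (not the thread's full log): an FRST Addition.txt excerpt
# laid out exactly like the entries posted above, trimmed to a few items.
SAMPLE_LOG = r"""System errors:
=============
Error: (05/15/2019 02:01:25 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The RzActionSvc service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (05/19/2019 04:28:07 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:
An instance of the service is already running.

CodeIntegrity:
===================================

Date: 2019-05-15 14:01:03.837
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system.

Date: 2019-05-14 15:40:04.377
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system.
"""

# One SCM entry: header line, "Description:" line, optional reason line below it.
SCM_RE = re.compile(
    r"^Error: \((?P<when>[^)]+)\) \(Source: (?P<source>[^)]+)\) "
    r"\(EventID: (?P<event_id>\d+)\) \(User: (?P<user>[^)]*)\)\n"
    r"Description: (?P<description>[^\n]+)(?:\n(?P<reason>[^\n]+))?",
    re.MULTILINE)
# One CodeIntegrity entry: date, then the image path and the reason it failed.
CI_RE = re.compile(
    r"^Date: (?P<when>\S+ \S+)\nDescription:\n"
    r"Windows is unable to verify the image integrity of the file "
    r"(?P<path>.+?) because (?P<reason>.+?)\.", re.MULTILINE)

def parse_scm_errors(log):
    """Service Control Manager entries from the 'System errors' section."""
    return [m.groupdict() for m in SCM_RE.finditer(log)]

def parse_code_integrity(log):
    """One entry per image load that Code Integrity could not verify."""
    return [m.groupdict() for m in CI_RE.finditer(log)]

def service_name(description):
    """Pull the affected service out of the SCM description text."""
    m = (re.search(r"termination of the (.+?) service\b", description)
         or re.match(r"The (.+?) service\b", description))
    return m.group(1) if m else description

def summarize(log):
    """Collapse repeats: failing services keyed by Event ID, and per refused image
    file the count, first/last timestamp and reason."""
    services = Counter((e["event_id"], service_name(e["description"]))
                       for e in parse_scm_errors(log))
    images = {}
    for e in parse_code_integrity(log):
        rec = images.setdefault(e["path"], {"count": 0, "reason": e["reason"],
                                            "first": e["when"], "last": e["when"]})
        rec["count"] += 1
        rec["first"] = min(rec["first"], e["when"])  # ISO timestamps sort as text
        rec["last"] = max(rec["last"], e["when"])
    return {"services": services, "images": images}
```

The summary is only the triage step: whether a flagged image is a security product's own component, as the helper suspects here, or something else still has to be confirmed by checking the file's signature on the machine.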

More "Stuff"

The info on the errors that you posted was very interesting, and would account for some whacko behavior I've been watching lately. I did recognize some of that from logs we recently dealt with. Things got so flaky after my last post that I did a remote login with Norton; after about three hours, they ended up dumping my FRST and Emsi software as well as a couple of bat files that I was wondering about anyway.
At any rate, one tech tweaked the browser settings to search Google by way of Bing. This worked briefly for my Firefox, but the Yahoo cookies/data reinstalled around the block I have and once again I'm redirecting to "Yahoo know who" (watch for updates soon).
With the changes N.S. made, I'm not sure the original FRST scan entry logs are as relevant as when we began this thread. I did run the latest fixlist though, but I'll wait for your opinion. Along with the latest FRST fixlog, I'll be posting a txt file that is the full URL it loads for a search of "safernetworking". If I click the link to go to most relevant (and this page looks pretty sharp) I get a "failed connection" load, as well as a screenshot of a (very high probability) fake page that loaded as the remote tech tried to re-establish a blocked connection. (If that URL posts as a live link please avoid it; I'll separate the first line yahoo and the .com part as a precaution. In case someone wants to intentionally connect to it they will need to close that space.)

Still chipping away

I've attached the latest scans as well as went over #7 again. It is entirely possible that I'm getting something wrong, but I believe it's correct. I did, early in this process, reset my FF; things got really, noticeably stranger after that. This time, things started up with a boatload of new trackers including our friendly Yahoo junk. I haven't checked the super list yet but I'll bet it's going to be... prolific. One thing I did notice while messing around in Edge is there are two accounts, mine and one titled work, school or group, I believe. I'm curious because it seems to be a working account (I don't want to open it at this point) and I see network connections from time to time that I can't make sense of. I also see in mDNS devices, at random times, a program called, I believe, tcp-scan-local (close approximation only); it says it's attached to my Kodak software... the one with all the unsigned files, and is connecting to a lot more than I believe it really needs access to. I also would like to see the media device designation my C drive gives to the winmedia player; that might be leaky also. Oh ya, I'm still locked out of my VT account; there seems to be a problem with the two-factor authentication, still working on that. Thanks again.
The attached PNG is a shot of a site and software I don't know, but it appears to be a vector point while going through logs on the W S, VT as well as other points.
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 19-05.2019
Ran by oldman (administrator) on EUSTACE (Hewlett-Packard HP Pavilion g6 Notebook PC) (20-05-2019 12:06:12)
Running from C:\Users\oldman\Desktop
Loaded Profiles: oldman (Available Profiles: oldman)
Platform: Windows 10 Home Version 1809 17763.503 (X64) Language: English (United States)
Default browser: FF
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

System errors:
=============
Error: (05/20/2019 12:01:46 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The APXACC service failed to start due to the following error:
A device attached to the system is not functioning.

Error: (05/19/2019 04:33:04 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The APXACC service failed to start due to the following error:
A device attached to the system is not functioning.

Error: (05/19/2019 04:28:07 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:
An instance of the service is already running.

CodeIntegrity:
===================================

Date: 2019-05-20 12:01:59.049
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2019-05-20 12:01:58.992
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2019-05-20 12:01:58.915
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2019-05-20 12:01:58.838
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2019-05-19 16:33:17.011
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2019-05-19 16:33:16.722
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2019-05-19 16:33:16.400
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2019-05-19 16:33:15.997
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Norton Security\Engine\22.17.1.50\WSCStub.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.